Method and apparatus for public-key cryptography based on structured matrices

ABSTRACT

A method of generating a public key and a secret key using a key generator is disclosed. The method includes acquiring an affine map and a secret central map, and generating a public key and a secret key using the affine map and the secret central map, in which the secret central map is expressed as a system of o multivariate quadratic polynomials, the system of o multivariate quadratic polynomials can be expressed as a structured matrix or a product of a submatrix of a structured matrix and a vector when v linear equations and v variables defined on a finite field are given.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority under 35 U.S.C. § 119 from Korean Patent Application No. 10-2019-0149105 filed on Nov. 19, 2019, this disclosures of which are hereby incorporated by reference in their entireties.

TECHNICAL FIELD

The present invention relates to public-key cryptography, and, in particular, to a method and an apparatus which can perform a digital signature algorithm based on multivariate quadratic polynomials based on structured matrices.

DISCUSSION OF RELATED ART

Digital signature based on multivariate quadratic polynomials refers to digital signature (or referred to as “electronic signature”) used in a multivariate cryptography system. Here, a multivariate cryptography system refers to a system having asymmetric cryptographic primitives based on multivariate polynomials defined on a finite field. In particular, when a degree of multivariate polynomials used in the multivariate cryptography system is 2, the multivariate cryptography system is referred to as a cryptography system based on multivariate quadratic polynomials.

SUMMARY

A technical object of the present invention is to provide a method, an apparatus, and a computer program, which can perform an electronic signature algorithm based on multivariate quadratic polynomials that can greatly reduce a length of a secret key by using structured matrices and quickly generate signatures by increasing efficiency in calculation.

According to embodiments of the present invention, a method of generating a public key and a secret key using a key generator includes acquiring an affine map {tilde over (T)} and a map

:

^(n)→

_(q) ^(m), and generating a public key

=

∘T and a secret key (

, {tilde over (T)}) using the affine map and the map, in which the map

:

^(n)→

_(q) ^(m) is expressed as a system

_(V) ⁽¹⁾, . . . ,

_(V) ^((o)) of O multivariate quadratic polynomials, and the system

_(V) ⁽¹⁾, . . . ,

_(V) ^((o)) of O multivariate quadratic polynomials is expressed as below when υ linear equations L₁, . . . , L_(υ) and υ variables χ₁, . . . , χ_(υ) defined on a finite field

_(q) are given

$\mspace{20mu} {{\begin{pmatrix} \mathcal{F}_{\text{?}}^{(\text{?})} \\ \mathcal{F}_{\text{?}}^{(\text{?})} \\ \ldots \\ \mathcal{F}_{\text{?}}^{(\text{?})} \end{pmatrix} = {{\begin{pmatrix} {x_{\text{?}}\mspace{14mu} x_{\text{?}}\mspace{14mu} \ldots \mspace{11mu} x_{\text{?}}} \\ \ldots \\ \ldots \\ \ldots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \ldots \\ L_{\text{?}} \end{pmatrix}} = {M_{\text{?}} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \ldots \\ L_{\text{?}} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$

in which T:

_(q) ^(n)→

_(q) ^(n), {tilde over (T)}=T⁻¹, M_(V) is a structured matrix or a submatrix of a structured matrix, m=o, V={1, . . . , υ}, O={υ+1, . . . , υ+o}, |V|=υ, |O|=o, V is an index set for defining Vinegar variables, and O is an index set for defining Oil variables.

A computer program which is stored in a storage medium stores the method of generating a public key and a secret key using a key generator.

According to the embodiments of the present invention, an electronic signer includes the key generator configured to perform the method of generating a public key and a secret key, a signature generator configured to generate an electronic signature σ of a message M using the affine map {tilde over (T)}, the map

, and the message M, and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key

=

∘T, in which the signature generator calculates a hash message H(M)=ξ for the message M, calculates a solution s=(s₁, . . . , s_(n)) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculates {tilde over (T)}(s)=σ, the signature verifier determines whether P(σ)=H(M) and verifies the electronic signature σ according to a result of the determination, H:{0, 1}*→

_(q) ^(m), and H(M)=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m).

According to the embodiments of the present invention, a method of generating a public key and a secret key using a key generator includes acquiring an affine map {tilde over (T)} and a map

:

^(n)→

_(q) ^(m), and generating a public key

=

∘T and a secret key (

, {tilde over (T)}) using the affine map and the map, in which the map

:

^(n)→

_(q) ^(m) is expressed as a system

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o)) of O multivariate quadratic polynomials, and the system

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o)) of O multivariate quadratic polynomials is expressed as below when υ variables χ₁, . . . , χ_(υ) and O variables χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o) defined on a finite field

_(q) are given

$\begin{matrix} \begin{matrix} {\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ \mathcal{F}_{OV}^{()} \end{pmatrix} = {{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \ldots & {v^{T}a_{\text{?}\text{?}}} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \ldots & {v^{T}a_{\text{?}\text{?}}} \\ \vdots & \vdots & \ddots & \vdots \\ {v^{T}a_{\text{?}\; 1}} & {v^{T}a_{\text{?}\; 2}} & \ldots & {v^{T}a_{\text{?}\text{?}}} \end{pmatrix}\begin{pmatrix} x_{\text{?} + 1} \\ \text{?} \\ \vdots \\ x_{\text{?} + \text{?}} \end{pmatrix}} +}} \\ {{B\begin{pmatrix} x_{\text{?} + 1} \\ x_{\text{?} + 2} \\ \vdots \\ x_{\text{?} + \text{?}} \end{pmatrix}}} \\ {= {{\begin{pmatrix} v^{T} & 0 & \ldots & 0 \\ 0 & v^{T} & \ldots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \ldots & v^{T} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \ldots & a_{1\text{?}} \\ a_{21} & a_{22} & \ldots & a_{2\text{?}} \\ \vdots & \vdots & \ddots & \vdots \\ a_{\text{?}1} & a_{11} & \ldots & a_{\text{?}\text{?}} \end{pmatrix}\begin{pmatrix} x_{\text{?} + 1} \\ \text{?} \\ \vdots \\ x_{\text{?} + \text{?}} \end{pmatrix}} +}} \\ {{{B\begin{pmatrix} x_{\text{?} + 1} \\ x_{\text{?} + 2} \\ \vdots \\ x_{\text{?} + \text{?}} \end{pmatrix}},}} \end{matrix} & \; \\ {\text{?}\text{indicates text missing or illegible when filed}} & \; \end{matrix}$

in which,

$\mspace{20mu} {{B = \begin{pmatrix} b_{11} & b_{12} & \ldots & b_{1\text{?}} \\ b_{21} & b_{22} & \ldots & b_{2\text{?}} \\ \vdots & \vdots & \ddots & \vdots \\ b_{\text{?}1} & b_{\text{?}2} & \ldots & b_{\text{?}\text{?}} \end{pmatrix}},\mspace{20mu} {M_{OV} = \begin{pmatrix} a_{11} & a_{12} & \ldots & a_{1\text{?}} \\ a_{21} & a_{22} & \ldots & a_{2\text{?}} \\ \vdots & \vdots & \ddots & \vdots \\ a_{\text{?}1} & a_{\text{?}2} & \ldots & a_{\text{?}\text{?}} \end{pmatrix}},{\text{?}\text{indicates text missing or illegible when filed}}}$

v^(T)=[χ₁ χ₂ . . . χ_(υ)], T:

_(q) ^(n)→

_(q) ^(n), {tilde over (T)}=T⁻¹, and, when each column vector a_(ij) is regarded as an element of one matrix, each column vector a_(ij) is selected such that M_(OV) is a structured matrix and element values of b_(ij) are selected such that B is also a structured matrix of the same form as M_(OV).

A computer program that is stored in a storage medium stores the method of generating a public key and a secret key using a key generator.

According to the embodiments of the present invention, an electronic signer further includes the key generator configured to perform the method of generating a public key and a secret key, a signature generator configured to generate an electronic signature σ of a message M using the affine map {tilde over (T)}, the map

, and the message M, and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key

=

∘T, in which the signature generator calculates a hash messages H(M)=ξ for the message M, calculates a solution of s=(s₁, . . . , s_(n)) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculates {tilde over (T)}(s)=σ, the signature verifier determines whether P(σ)=H(M) and verifies the electronic signature σ according to a result of the determination, H:{0, 1}*→

_(q) ^(m), and H(M)=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m).

According to the embodiments of the present invention, a method of generating a public key and a secret key using a key generator includes acquiring a first affine map {tilde over (S)}, a second affine map {tilde over (T)}, and a map

:

^(n)→

_(q) ^(m), and generating a public key

=S∘

∘T and a secret key ({tilde over (S)},

, {tilde over (T)}) using the first affine map, the second affine map, and the map, in which, when the map

:

^(n)→

_(q) ^(m) is expressed as a system

=

, . . . ,

^((m)) of multivariate quadratic polynomials having m=o₁+o₂ polynomials and n=υ+m variables,

^((i)) for i=1, . . . , o₁ is expressed as below

$\mspace{20mu} \left\{ {\begin{matrix} {{\mathcal{F}^{(1)}\left( \text{?} \right)} = {{\mathcal{F}_{V}^{(1)}\left( \text{?} \right)} + {\mathcal{F}_{OV}^{(1)}\left( \text{?} \right)} + \text{?}}} \\ \vdots \\ {{\mathcal{F}^{(o_{1})}\left( \text{?} \right)} = {\text{?} + {\text{?}\left( \text{?} \right)} + \text{?}}} \end{matrix},{\text{?}\text{indicates text missing or illegible when filed}}} \right.$

_(V) ^((i)) for i=1, . . . , o₁ is expressed as below when υ linear polynomials L₁, . . . , L_(υ) and υ variables χ₁, . . . , χ_(υ) defined on a finite field

_(q) are given

${\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \vdots \\ \mathcal{F}_{V}^{(o_{1})} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & x_{o} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{v} \end{pmatrix}} = {M_{v} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{v} \end{pmatrix}}}},$

in which M_(V) ¹ is a structured matrix or a submatrix of a structured matrix,

^((i)) for i=o₁+1, . . . , m is expressed as below

$\mspace{20mu} \left\{ {\begin{matrix} {{\mathcal{F}^{({o_{1} + 1})}\left( \text{?} \right)} = {{\text{?}\left( \text{?} \right)} + {\text{?}\left( \text{?} \right)} + \text{?}}} \\ \vdots \\ {{\text{?}\left( \text{?} \right)} = {{\text{?}\left( \text{?} \right)} + \text{?} + \text{?}}} \end{matrix},{\text{?}\text{indicates text missing or illegible when filed}}} \right.$

and

_(V) ^((i)) for i=o₁+1, . . . , m is expressed as below when linear equations L′₁, . . . , L′_(υ+o) ₁ with υ+o₁ variables and υ+o₁ variables are given

$\mspace{20mu} {{\begin{pmatrix} \mathcal{F}_{V}^{({o_{1} + 1})} \\ \mathcal{F}_{V}^{({o_{1} + 2})} \\ \vdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V}^{2} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$

in which M_(V) ² is a structured matrix or a submatrix of a structured matrix, m=o₁+o₂, S:

_(q) ^(m)→

_(q) ^(m), T:

_(q) ^(n)→

_(q) ^(n), {tilde over (S)}=S⁻¹, {tilde over (T)}=T⁻¹, V={1, . . . , υ}, O₁={υ+1, . . . , υ+o₁}, and O₂={υ+o₁+1, . . . , υ+o₁+o₂}, in which |V|=υ, |O_(i)|=o_(i) for i=1 and 2, V is an index set for defining Vinegar variables, O₁ and O₂ are index sets for defining Oil variables.

According to the embodiments of the present invention, a method of generating a public key and a secret key using a key generator includes acquiring a first affine map ({tilde over (S)}) a second affine map ({tilde over (T)}), and a map (

:

^(n)→

_(q) ^(m)), and generating a public key

=S∘

∘T and a secret key ({tilde over (S)},

, {tilde over (T)}) using the first affine map, the second affine map, and the map, in which the map

:

^(n)→

_(q) ^(m) is expressed as a system

=

, . . . ,

^((m)) of m=o₁+o₂ multivariate quadratic polynomials, a system

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o) ^(i) ⁾ of the O₁ multivariate quadratic polynomials is expressed as below when υ variables (χ₁, . . . , χ_(υ)) and O₁ variables (χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o) ₁ ) defined on a finite field

_(q) are given

${\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & \text{?} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & \text{?} \\ 0 & v^{T} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}},{\text{?}\text{indicates text missing or illegible when filed}}$

in which,

$\mspace{20mu} {M_{{OV},1} = {{\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\mspace{14mu} {and}\mspace{14mu} B_{1}} = \begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}$ ?indicates text missing or illegible when filed

are given, v^(T)=[χ₁ χ₂ . . . χ_(υ)], each column vector a_(ij) is selected such that M_(OV,1) is a structured matrix and element values of b_(ij) are selected such that B₁ is also a structure matrix of the same form as M_(OV,1), when each column vector a_(ij) is regarded as an element of one matrix, and

_(OV) ^((i)) for i=o₁+1, . . . , m is given as below

${\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & \text{?} \\ 0 & v^{T} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} a_{11}^{\prime} & a_{12}^{\prime} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}},{\text{?}\text{indicates text missing or illegible when filed}}$

in which

$\mspace{20mu} {M_{{OV},2} = {{\begin{pmatrix} a_{11}^{\prime} & a_{12}^{\prime} & \cdots & \text{?} \\ a_{21}^{\prime} & a_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\mspace{14mu} {and}\mspace{14mu} B_{2}} = \begin{pmatrix} b_{11}^{\prime} & b_{12}^{\prime} & \cdots & \text{?} \\ b_{21}^{\prime} & b_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}$ ?indicates text missing or illegible when filed

are given, v′^(T)=[χ₁ χ₂ . . . χ_(υ+o) ₁ ], each column vector a′_(ij) is regarded as elements of one matrix, each column vector a′_(ij) is selected such that M_(OV,2) is a structured matrix and element values of b′_(ij) are selected such that B₂ is also a structured matrix of the same form as M_(OV,2) when each column vector a′_(ij) is regarded as an element of one matrix, S:

_(q) ^(m)→

_(q) ^(m), T:

_(q) ^(n)→

_(q) ^(n), {tilde over (S)}=S⁻¹, {tilde over (T)}=T⁻¹.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an electronic signer based on multivariate quadratic polynomials with one layer according to embodiments of the present invention;

FIG. 2 is a flowchart for describing an operation of the electronic signer based on multivariate quadratic polynomials shown in FIG. 1;

FIG. 3 is a block diagram of an electronic signer based on multivariate quadratic polynomials with two layers according to embodiments of the present invention; and

FIG. 4 is a flowchart for describing an operation of the electronic signer based on multivariate quadratic polynomials shown in FIG. 3.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

In the present specification, an electronic signature algorithm (or an apparatus, a method, and/or a computer program stored in a storage medium capable of performing the electronic signature algorithm) based on a generation of systems of multivariate quadratic polynomials (or equations), which can be expressed by a product of a structured matrix (or a submatrix of the structured matrix) and a vector after performing a suitable operation or operations, is disclosed.

1. Generation of O (here, O is a natural number) quadratic polynomials which can be expressed by product of structured matrix or submatrix of structured matrix and vector using υ (Here, υ is a natural number) linear polynomials and υ variables (here, χ_(i), 1≤i≤υ).

When

_(q) is a finite field with q (here, q is a natural number) elements, and υ linear polynomials (L₁, . . . , L_(υ)) and υ variables (χ₁, . . . , χ_(υ)) defined on the finite field (

_(q)) are given, a system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of O quadratic polynomials, which can be expressed in a form of a product of a structured matrix (or a submatrix of a structured matrix) and a vector as shown in Equation 1 is generated.

The system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of quadratic polynomials will be expressed by Equation 1, in which M_(V) is defined as a structured matrix (or a submatrix of a structured matrix).

$\begin{matrix} {\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \vdots \\ \mathcal{F}_{V}^{(o)} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & x_{o} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{v} \end{pmatrix}} = {M_{v} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{v} \end{pmatrix}}}} & \left\lbrack {{Equation}\mspace{14mu} 1} \right\rbrack \end{matrix}$

Here, the structure matrix includes a case in which complexity of the product of a structured matrix (or a submatrix of a structured matrix) and a vector is less than or equal to O(υ²).

1-1. Structured Matrix is Circulant Matrix

When υ linear polynomials (L₁, . . . , L_(υ)) and υ variables (χ₁, . . . , χ_(υ)) are given to an apparatus or a computer program, a system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of O quadratic polynomials is generated as shown in Equation 2. Here, O is the number of quadratic polynomials, which is represented as O when there is one layer, and, when there are two layers, a first layer thereof is represented as O₁ and a second layer is represented as O₂.

$\begin{matrix} {\mspace{79mu} {{\mathcal{F}_{V}^{(1)} = {{x_{1} \cdot L_{1}} + {x_{2} \cdot L_{2}} + \ldots + {\text{?} \cdot \text{?}}}}\mspace{79mu} {\mathcal{F}_{V}^{(2)} = {{\text{?} \cdot L_{1}} + {x_{1} \cdot L_{2}} + \ldots + {\text{?} \cdot \text{?}}}}\mspace{79mu} {\ldots,\mspace{79mu} {\mathcal{F}_{V}^{(o)} = {{\text{?} \cdot L_{1}} + {\text{?} \cdot L_{2}} + \ldots + {\text{?} \cdot \text{?}}}}}{\text{?}\text{indicates text missing or illegible when filed}}}} & \left\lbrack {{Equation}\mspace{14mu} 2} \right\rbrack \end{matrix}$

The system of quadratic polynomials in Equation 2 needs to be expressed in the form of a product of a circulant matrix (or a submatrix of a circulant matrix) and a vector as shown in Equation 3. That is, M_(V) in Equation 3 is a circulant matrix or a submatrix of a circulant matrix.

$\begin{matrix} {\mspace{79mu} {{\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}}{\text{?}\text{indicates text missing or illegible when filed}}}} & \left\lbrack {{Equation}\mspace{14mu} 3} \right\rbrack \end{matrix}$

1-2. Additional Generation of System of Quadratic Equations Expressed by Block Circulant Matrix

After quadratic polynomials for variables (χ₁, . . . , X_(υ)) are selected as described in 1-1, a system (

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o))) of quadratic polynomials for o(=2k) (Here, k is a natural number) variables (χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o)) is additionally generated as shown in Equation 4.

$\begin{matrix} {{\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & \text{?} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & \text{?} \\ 0 & v^{T} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}}{M_{OV} = {\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} P & \text{?} \\ \text{?} & S \end{pmatrix}}}}{B = {\begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 4} \right\rbrack \end{matrix}$

Here v^(T)=[χ₁ χ₂ . . . χ_(υ)], each of P, Q, R, S is a circulant matrix of vectors, M_(OV) is a block circulant matrix of the vectors, and B is also a block circulant matrix with the same structure as M_(OV).

A system of quadratic equations such as in Equation 5 without quadratic terms that satisfy χ_(i)χ_(j), i, j=υ+1, .. . , υ+o (here, each of i and j is a natural number) is generated by combining the system of quadratic polynomials in Equation 4 and the system of quadratic polynomials in Equation 2. Here, δ_(i) is a constant term selected in the finite field (

_(q)).

$\begin{matrix} {\mspace{79mu} \left\{ {\begin{matrix} {{\mathcal{F}^{(1)}\left( \text{?} \right)} = {{\mathcal{F}_{V}^{(1)}\left( \text{?} \right)} + {\mathcal{F}_{OV}^{(1)}\left( \text{?} \right)} + \text{?}}} \\ \vdots \\ {{\mathcal{F}^{(o)}\left( \text{?} \right)} = {{{\mathcal{F}_{V}^{(o)}\left( \text{?} \right)}\text{?}} + {\mathcal{F}_{OV}^{(o)}\left( \text{?} \right)} + \text{?}}} \end{matrix}\text{?}\text{indicates text missing or illegible when filed}} \right.} & \left\lbrack {{Equation}\mspace{14mu} 5} \right\rbrack \end{matrix}$

2. Generation of System of Quadratic Equations in Which Coefficient Matrix Has Structured Matrix Structure

In a system of quadratic polynomials having n=υ+o (n is a natural number) variables which can be expressed as shown in equation 6, it is assumed that there is a system (

_(OV) ^((i))) of quadratic polynomials for υ variables (χ₁, . . . , χ_(υ)) and O variables (χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o)).

$\begin{matrix} {{\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & \text{?} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & \text{?} \\ 0 & v^{T} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 6} \right\rbrack \end{matrix}$

Here, v^(T)=[χ₁ χ₂ . . . χ_(υ)], and B and M_(OV) are expressed as shown in Equation 7.

$\begin{matrix} {\mspace{79mu} {{{B = \begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}},{M_{OV} = \begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}{\text{?}\text{indicates text missing or illegible when filed}}}} & \left\lbrack {{Equation}\mspace{14mu} 7} \right\rbrack \end{matrix}$

Here, when each column vector a_(ij) is regarded as an element of one matrix, each column vector a_(ij) is selected such that M_(OV) is a structured matrix, element values of b_(ij) are selected such that B is a structure matrix of the same form as M_(OV), thereby a system of desired quadratic polynomials is generated.

Here, the structured matrix includes a case in which complexity of obtaining an existing structured matrix or inverse matrix, or finding a solution of a system of a linear equation having a structured matrix as a coefficient matrix is less than or equal to O(n²). At this time, a size of the coefficient matrix of the system of a linear equation is n×n.

2-1. M_(OV) and B Are Block Circulant Matrices (BC).

When (o=2k) is an even number, M_(OV) and B are selected such that M_(OV) and B are block circulant matrices, respectively, as shown in Equations 8 and 9.

$\begin{matrix} {{M_{OV} = {\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{\text{?}} \\ a_{21} & a_{22} & \cdots & a_{\text{?}} \\ \vdots & \vdots & \ddots & \vdots \\ a_{o1} & a_{o2} & \cdots & a_{\text{?}} \end{pmatrix} = {\begin{pmatrix} p_{1} & p_{2} & \cdots & p_{k} & q_{1} & q_{2} & \cdots & q_{k} \\ p_{k} & p_{1} & \cdots & p_{k - 1} & q_{k} & q_{1} & \cdots & q_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ p_{2} & p_{3} & \cdots & p_{1} & q_{2} & q_{3} & \cdots & q_{1} \\ r_{1} & r_{2} & \cdots & r_{k} & s_{1} & s_{2} & \cdots & s_{k} \\ r_{k} & r_{1} & \cdots & r_{k - 1} & s_{k} & s_{1} & \cdots & s_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ r_{2} & r_{3} & \cdots & r_{1} & s_{2} & s_{3} & \cdots & s_{1} \end{pmatrix} = \begin{pmatrix} P & Q \\ R & S \end{pmatrix}}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 8} \right\rbrack \end{matrix}$

Here, each of P, Q, R, S is a circulant matrix of vectors, and M_(OV) is a block circulant matrix of the vectors.

B = ( b 11 b 12 ⋯ b b 21 b 22 ⋯ b ⋮ ⋮ ⋱ ⋮ b o  1 b o  2 ⋯ b oo ) = ( t 1 t 2 ⋯ t k u 1 u 2 ⋯ u k t k t 1 ⋯ t k - 1 u k u 1 ⋯ u k - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ t 2 t 3 ⋯ t 1 u 2 u 3 ⋯ u 1 v 1 v 2 ⋯ v k w 1 w 2 ⋯ w k v k v 1 ⋯ v k - 1 w k w 1 ⋯ w k - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ v 2 v 3 ⋯ v 1 w 2 w 3 ⋯ w 1 ) [ Equation   9 ]

Here, B is a block circulant matrix.

2-2. Method of Efficiently Calculating Inverse Matrix (BC⁻¹) of Given Block Circulant Matrix (BC)

A block determinant (K−PS−QR) of a given block circulant matrix

$\left( {{BC} = \begin{pmatrix} P & Q \\ R & S \end{pmatrix}} \right)$

is obtained. Since all of P, Q, R, S are circulant matrices, K is also a circulant matrix.

First, an inverse matrix (K⁻¹) of K is obtained, and an inverse matrix (BC⁻¹) of BC is obtained by calculating

$\begin{pmatrix} {K^{- 1}S} & {{- K^{- 1}}Q} \\ {{- K^{- 1}}R} & {K^{- 1}P} \end{pmatrix}.$

At this time, efficient algorithms such as the Extended Euclidean Algorithm are used to obtain the inverse matrix of K.

3. Randomization Using Structured Matrix

Embodiments of message randomization or secret key randomization to cope with various types of attacks such as a side-channel attack are as below.

-   (i) generating a first operation result by adding a matrix and a     message (or a secret key), and then, subtracting the matrix from the     first operation result, or -   (ii) generate a second operation result by multiplying a matrix and     a message (or a secret key), and then, multiplying the second     operation result by an inverse matrix of the matrix.

At this time, if the matrix is selected as a structured matrix, calculation efficiency can be increased.

3-1. Randomization Using a Circulant Matrix or a Block Circulant Matrix

Embodiments of message randomization or secret key randomization to cope with various types of attacks such as a side-channel attack are as below.

-   (i) generating a first operation result by adding a matrix and a     message (or a secret key), and then, subtracting the matrix from the     first operation result, or -   (ii) generating a second operation result by multiplying a matrix     and a message (or a secret key), and then, multiplying the second     operation result by an inverse matrix of the matrix.

At this time, if a random matrix is selected as a circulant matrix or a block circulant matrix, the calculation efficiency can be increased.

3-2. When

_(q) is a finite field with q elements, if a random matrix (R) is selected as a circulant matrix as shown in Equation 10 to randomize a secret key ({tilde over (S)}) in a product ({tilde over (S)}·h) of a vector (h) of

_(q) ^(m) and the secret key ({tilde over (S)}), the calculation efficiency can be increased.

{tilde over (S)}(H(M))=({tilde over (S)}+R)(H(M))(−R(H(M))

or

{tilde over (S)}(H(M))=({tilde over (S)}·R ⁻¹ ·R)(H(M))   [Equation 10]

Here, {tilde over (S)}=S⁻¹, and H(M) is a hash value for a message M and is expressed as H(M)=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m).

The electronic (or digital) signature algorithms based on multivariate quadratic polynomials (or equations) according to the present invention include a key generation algorithm, a signature generation algorithm, and a signature verification algorithm. The electronic signature algorithms based on multivariate quadratic polynomials are executed by an electronic apparatus (or a digital signature apparatus) or a computer program being executed in the electronic apparatus.

A computer program stored in a storage medium has a program code for performing a method for electronic signature algorithms based on a structured matrix (algorithms that protect authentication, non-repudiation, and/or integrity of a message (or data)), and the program code is executed in a computing apparatus.

The computing apparatus refers to a PC (personal computer), a server, or a mobile device, and the mobile device refers to a mobile phone, a smartphone, an Internet mobile device (MID), a laptop computer, or the like, but the present invention is not limited thereto.

FIG. 1 is a block diagram of an electronic signer based on multivariate quadratic polynomials with one layer according to embodiments of the present invention, and FIG. 2 is a flowchart for describing an operation of the electronic signer based on multivariate quadratic polynomials shown in FIG. 1. An electronic signer 100 of FIG. 1 constitutes a secret central map having one layer, executes electronic signature algorithms based on multivariate quadratic polynomials using the secret central map, and includes a key generator 110, a signature generator 120, and a signature verifier 130.

In the present specification, the electronic signer 100 or 200 may be implemented as a hardware component or a software component. When the electronic signer 100 or 200 is implemented as a hardware component, each of the components 110, 120, and 130 is implemented as a hardware component, and, when the electronic signer 100 is implemented as a software component, each of the components 110, 120, and 130 is implemented as a software component.

Key Generation Algorithm

The key generator 110 performs steps (S110 to S130) to perform the key generation algorithm for calculating a public key.

For a security parameter (λ), a pair (<PK, SK>=<

, (

, {tilde over (T)})>) of a public key (PK) and a secret key (SK) is generated as follows. The security parameter (λ) indicates a security level.

-   -   1. one affine map ({tilde over (T)}) is randomly selected         (S110). If the affine map ({tilde over (T)}) is not invertible,         a new affine map will be randomly selected again. Here, T:         _(q) ^(n)→         _(q) ^(n) and, {tilde over (T)}=T⁻¹. It is assumed that affine         maps and a secret central map (         =         , . . . ,         ^((m))) are securely stored in an apparatus (for example, a data         storage apparatus) which can be accessed by the key generator         110.     -   2. The secret central map (         =         , . . . ,         ^((m))) is selected as below (S120).

For application to electronic signature algorithms based on multivariate quadratic polynomials using a structured matrix, a configuration of a new central map according to the present invention requires two index sets (V, O) when there is one (1) layer.

:

^(n)→

_(q) ^(m), and each of n and m is a natural number.

V={1, . . . , υ}

O={υ+1, . . . , υ+o}

Here, |V|=υ, and |O|=o. V is an index set for defining Vinegar variables, and O is an index set for defining Oil variables.

In the secret central map (

=

, . . . ,

^((m))), that is, a system of multivariate quadratic polynomials having m=o equations and n=υ+m variables,

^((i)) for i=1, . . . , o will be defined as shown in Equation 11.

                              [Equation  11] $\left\{ \begin{matrix} {{\mathcal{F}^{(1)}\left( {x_{1},\cdots,x_{v + o}} \right)} = {{\mathcal{F}_{V}^{(1)}\left( {x_{i},\cdots,x_{v}} \right)} + {\mathcal{F}_{OV}^{(1)}\left( {x_{1},\cdots,x_{v + o}} \right)} + \delta_{1}}} \\ \vdots \\ {{\mathcal{F}^{(o)}\left( {x_{1},\cdots,x_{v + o}} \right)} = {{\mathcal{F}_{V}^{(o)}\left( {x_{i},\cdots,x_{v}} \right)} + {\mathcal{F}_{OV}^{(o)}\left( {x_{1},\cdots,x_{v + o}} \right)} + \delta_{o}}} \end{matrix} \right.$

_(V) ^((i)) for i=1, . . . , o will be defined as shown in Equation 12,

$\begin{matrix} {{\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ F_{OV}^{(o)} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & x_{v} \\ x_{\text{?}} & x_{1} & \cdots & x_{v - 1} \\ \vdots & \vdots & \ddots & \vdots \\ x_{\text{?} + 2} & x_{\text{?} + 3} & \cdots & x_{\text{?}1} \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{\text{?}} \end{pmatrix}} + {M_{v} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ L_{\text{?}} \end{pmatrix}}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 12} \right\rbrack \end{matrix}$

Here, M_(v) is a circulant matrix or a submatrix of a circulant matrix.

_(OV) ^((i)) for i=1, . . . , o will be defined as shown in Equation 13, and

$\begin{matrix} {\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ F_{OV}^{(o)} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & {v^{T}a_{1o}} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & {v^{T}a_{2o}} \\ \vdots & \vdots & \ddots & \vdots \\ {v^{T}a_{o1}} & {v^{T}a_{o2}} & \cdots & {v^{T}a_{oo}} \end{pmatrix}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o} \end{pmatrix}} + {B\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1o} \\ a_{21} & a_{22} & \cdots & a_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ a_{o1} & a_{o2} & \cdots & a_{oo} \end{pmatrix}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o} \end{pmatrix}} + {B\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o} \end{pmatrix}}}}} & \left\lbrack {{Equation}\mspace{14mu} 13} \right\rbrack \end{matrix}$

Here, B is the same as B in Equation 9, and M_(OV) is the same as M_(OV) in Equation 8.

${B = \begin{pmatrix} b_{11} & b_{12} & \cdots & b_{1o} \\ b_{21} & b_{22} & \cdots & b_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ b_{o1} & b_{o2} & \cdots & b_{oo} \end{pmatrix}},{M_{OV} = \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1o} \\ a_{21} & a_{22} & \cdots & a_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ a_{o1} & a_{o2} & \cdots & a_{\text{?}} \end{pmatrix}},{M_{OV} = {\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1o} \\ a_{21} & a_{22} & \cdots & a_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ a_{o1} & a_{o2} & \cdots & a_{\text{?}} \end{pmatrix} = {\begin{pmatrix} p_{1} & p_{2} & \cdots & p_{k} & q_{1} & q_{2} & \cdots & q_{k} \\ p_{k} & p_{1} & \cdots & p_{k - 1} & q_{k} & q_{1} & \cdots & q_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ p_{2} & p_{3} & \cdots & p_{1} & q_{2} & q_{3} & \cdots & q_{1} \\ r_{1} & r_{2} & \cdots & r_{k} & s_{1} & s_{2} & \cdots & s_{k} \\ r_{k} & r_{1} & \cdots & r_{k - 1} & s_{k} & s_{1} & \cdots & s_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ r_{2} & r_{3} & \cdots & r_{1} & s_{2} & s_{3} & \cdots & s_{1} \end{pmatrix} = \begin{pmatrix} P & Q \\ R & S \end{pmatrix}}}}$ $B = {\begin{pmatrix} b_{11} & b_{12} & \cdots & b_{\text{?}} \\ b_{21} & b_{22} & \cdots & b_{\text{?}} \\ \vdots & \vdots & \ddots & \vdots \\ b_{o1} & b_{o2} & \cdots & b_{oo} \end{pmatrix} = \begin{pmatrix} t_{1} & t_{2} & \cdots & t_{k} & u_{1} & u_{2} & \cdots & u_{k} \\ t_{k} & t_{1} & \cdots & t_{k - 1} & u_{k} & u_{1} & \cdots & u_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ t_{2} & t_{3} & \cdots & t_{1} & u_{2} & u_{3} & \cdots & u_{1} \\ v_{1} & v_{2} & \cdots & v_{k} & w_{1} & w_{2} & \cdots & w_{k} \\ v_{k} & v_{1} & \cdots & v_{k - 1} & w_{k} & w_{1} & \cdots & w_{k - 1} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ v_{2} & v_{3} & \cdots & v_{1} & w_{2} & w_{3} & \cdots & w_{1} \end{pmatrix}}$ ?indicates text missing or illegible when filed

A constant term (δ_(i)) is randomly selected in the finite field (

_(q)).

-   -   3. A public key (         =         ∘T) is calculated (S130). Here, a circle means a composition,         the public key (         =         ∘T) is required for signature verification, and a secret key         (SK=(         , {tilde over (T)}) is required for signature generation.

Signature Generation Algorithm

A signature generator 120 performs steps (S140 to S160) to perform the signature generation algorithm, that is, how to invert a new central map according to the present invention.

The signature generator 120 receives an affine map {tilde over (T)}, a secret central map

, and a message M. The message M refers to a message to be transmitted via a communication medium (for example, wired or wireless) as plain text.

-   -   1. A hash message (H(M)=ξ) for the message M is calculated         (S140). Here,         H:{0, 1}*→         _(q) ^(m) is a collision resistant hash function.         H(M)=ξ=(ξ₁, . . . , ξ_(m))∈         _(q) ^(m) is calculated.     -   2. When ο=(ξ₁, . . . , ξ_(m)) is given, processes of finding         ⁻¹(ξ)=s, that is, a solution s=(s₁, . . . , s_(n)) of         (x)=ξ are as below (S150).

A vector of random values s_(v)=(s₁, . . . , s_(υ))∈

_(q) ^(υ) is selected. The vector (s_(v)) is plugged into

_(V) ^((i)) for i=1, . . . , m to calculate a product of a o×υ submatrix of a υ×υ circulant matrix and a transpose of a vector ((L₁(s_(υ)), . . . , L_(υ)(s_(υ)))), and, as a result, (c₁, . . . , c_(o)) is obtained. At this time, the o×υ submatrix is M_(V) in Equation 3.

If the vector (s_(v)) is plugged into

_(OV) ^((i)) for i=1, . . . , m to obtain a system of O linear equations having O variables (χ_(υ+1), . . . , χ_(n)), a form of the coefficient matrix is a block circulant matrix (BC).

Here, the block circulant matrix (BC) is a matrix obtained by multiplying a matrix that is obtained by plugging the vector (s_(v)) into a matrix composed of v^(T) in Equation 13 by M_(OV).

A solution (s_(υ+1), . . . , s_(n)), is obtained by multiplying the inverse matrix (BC⁻¹) obtained by the method defined in 2-2 described above by a transpose of (ξ₁−c₁−δ₁, . . . , ξ_(o)−c_(o)−δ_(o)). Accordingly, a vector s=(s₁, . . . , s_(n)) is a solution of

(x)=ξ.

If there is no inverse matrix BC⁻¹ of the block circulant matrix BC, the procedure returns to a beginning of the signature generation algorithm to select a vector of new random values s_(v)′=(s′₁, . . . , s′_(υ)) and performs the methods (or processes) described above again.

-   -   3. {tilde over (T)}(s)=σ is calculated (S160). σ refers to a         signature of the message M (here, the signature means a digital         signature or an electronic signature).

Signature Verification or Verification Algorithm

The signature verifier 130 performs a step (S170) to perform a signature verification or verification algorithm. If the signature verifier 130 receives one of the public key

and a certificate including the public key

, the message M, and the signature σ from the signature generator 120, that is, if the public key

and the signature σ for the message M are given, the signature verifier 130 checks whether P(σ)=H(M). If P(σ)=H(M), the signature σ is accepted, and otherwise, the signature σ is rejected.

FIG. 3 is a block diagram of an electronic signer based on multivariate quadratic polynomials with two layers according to embodiments of the present invention. FIG. 4 is a flowchart for describing an operation of the electronic signer based on multivariate quadratic polynomials shown in FIG. 3. The electronic signer 200 of FIG. 3 constitutes and processes a secret central map with two layers.

The key generator 210 performs step (S210) to perform the key generation algorithm for calculating a secret key and a public key.

Key Generation Algorithm:

For the security parameter (λ), a pair (<PK, SK>=<

, ({tilde over (S)},

, {tilde over (T)})>) of a public key (PK) and a secret (SK) is generated as follows. The security parameter (λ) represents a security level.

-   -   1. Two affine maps {tilde over (S)} and {tilde over (T)} are         randomly selected (S210). If {tilde over (S)} and {tilde over         (T)} are not invertible, two (new) affine maps {tilde over (S)}         and {tilde over (T)} are randomly selected again. Here, S:         _(q) ^(m)→         _(q) ^(m) and {tilde over (S)}=S⁻¹, and T:         _(q) ^(n)→         _(q) ^(n) and, {tilde over (T)}=T⁻¹. Affine maps including the         affine maps {tilde over (S)} and {tilde over (T)} and the secret         central map (         =         , . . . ,         ^((m)) can be securely stored in an apparatus which can be         accessed by the key generator 210.     -   2. The secret central map         =         , . . . ,         ^((m)) is selected as below (S220).

For application to electronic signature algorithms based on multivariate quadratic polynomials using a structured matrix, a configuration of a new central map according to the present invention requires two index sets (V, O₁, and O₂) when there are two layers.

V={1, . . . , υ},

O ₁={υ+1, . . . , υ+o ₁},

O ₂ ={υ+o ₁+1, . . . , υ+o ₁ +o ₂}

Here, |V|=υ, and |O_(i)|=o_(i) for i=1, 2. V is an index set for defining Vinegar variables, and O₁ and O₂ are index sets for defining Oil variables.

In the secret central map

=

, . . . ,

^((m)), that is, a system of quadratic polynomials having m=o₁+o₂ (here, each of O₁ and O₂ and is a natural number) polynomials and n=υ+m variables,

^((i)) for i=1, . . . , o₁ will be defined as shown in Equation 14.

$\begin{matrix} \left\{ \begin{matrix} {{{\mathcal{F}^{(1)}\left( {x_{1},\cdots,x_{v + o}} \right)} = {{\mathcal{F}_{v}^{(1)}\left( {x_{i},\cdots,x_{v}} \right)} + {\mathcal{F}_{OV}^{(1)}\left( {x_{1},\cdots,x_{v + o_{1}}} \right)} + \delta_{1}}},} \\ \vdots \\ {{\mathcal{F}^{(o_{1})}\left( {x_{1},\cdots,x_{v + o_{1}}} \right)} = {{\mathcal{F}_{v}^{(o_{1})}\left( {x_{i},\cdots,x_{v}} \right)} + {\mathcal{F}_{OV}^{(o_{1})}\left( {x_{1},\cdots,x_{v + o_{1}}} \right)} + \delta_{o_{1}}}} \end{matrix} \right. & \left\lbrack {{Equation}\mspace{14mu} 14} \right\rbrack \end{matrix}$

Here,

_(V) ^((i)) is defined as shown in Equation 2 and

_(OV) ^((i)) is defined as shown in Equation 4. At this time, when O is replaced with O₁ (o₁=2k, here, k₁ is a natural number) as in 1-2 described above, Equation 3 becomes Equation 15, Equation 6 becomes Equation 16, and Equations 8 and 9 become Equation 17.

( ℱ V ( 1 ) ℱ V ( 2 ) ⋮ F V ( o 1 ) ) = ( x 1 x 2 ⋯ x v x x 1 ⋯ x v - 1 ⋯ ⋯ ⋯ ⋯ x - o 1 + 2 x - o 1 + 3 ⋯ x - o 1 + 1 ) · ( L 1 L 2 ⋯ L ) + M v 1 · ( L 1 L 2 ⋯ L ) [ Equation   15 ]

Here, M_(V) ¹ is a circulant matrix or a submatrix of a circulant matrix, and

_(OV) ^((i)) for i=1, . . . , o₁ is as shown in Equation 16.

$\begin{matrix} {\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ F_{OV}^{(o_{1})} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & {v^{T}a_{1o_{1}}} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & {v^{T}a_{2o_{1}}} \\ \vdots & \vdots & \ddots & \vdots \\ {v^{T}a_{o_{1}1}} & {v^{T}a_{o_{1}2}} & \cdots & {v^{T}a_{o_{1}o_{1}}} \end{pmatrix}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o_{1}} \end{pmatrix}} + {B_{1}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o_{1}} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1o_{1}} \\ a_{21} & a_{22} & \cdots & a_{2o_{1}} \\ \vdots & \vdots & \ddots & \vdots \\ a_{o1} & a_{o2} & \cdots & {a_{o_{1}o}}_{1} \end{pmatrix}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o_{1}} \end{pmatrix}} + {B_{1}\begin{pmatrix} x_{v + 1} \\ x_{v + 2} \\ \vdots \\ x_{v + o_{1}} \end{pmatrix}}}}} & \left\lbrack {{Equation}\mspace{14mu} 16} \right\rbrack \end{matrix}$

Here,

v ^(T)=[χ₁χ₂ . . . χ_(υ)],

M OV , 1 = ( a 11 a 12 ⋯ a a 21 a 22 ⋯ a ⋮ ⋮ ⋱ ⋮ a o 1  1 a o 1  2 ⋯ a ) , and B 1 = ( b 11 b 12 ⋯ b b 21 b 22 ⋯ b ⋮ ⋮ ⋱ ⋮ b o 1  1 b o 1  2 ⋯ b ) .

Here, M_(OV,1) is a block circulant matrix whose elements are column vectors a_(ij) each having a size υ, and B₁ is a block circulant matrix.

The block circulant matrix M_(OV,1) of the vectors and the block circulant matrix B₁ are as shown in Equation 17.

M OV 1 = ( a 11 a 12 ⋯ a 1  o 1 a 21 a 22 ⋯ a 2  o 1 ⋮ ⋮ ⋱ ⋮ a o 1  1 a o 1  2 ⋯ a ) = ( p 1 p 2 ⋯ p k q 1 q 2 ⋯ q k 1 p k 1 p 1 ⋯ p k 1 - 1 q k 1 q 1 ⋯ q k 1 - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ p 2 p 3 ⋯ p 1 q 2 q 3 ⋯ q 1 r 1 r 2 ⋯ r k 1 s 1 s 2 ⋯ s k 1 r k 1 r 1 ⋯ r k 1 - 1 s k 1 s 1 ⋯ s k 1 - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ r 2 r 3 ⋯ r 1 s 2 s 3 ⋯ s 1 ) = ( P 1 Q 1 R 1 S 1 )   B 1 = ( b 11 b 12 ⋯ b b 21 b 22 ⋯ b ( ) 1 ⋮ ⋮ ⋱ ⋮ b o 1  1 b o 1  2 ⋯ b o 1  o 1 ) = ( t 1 t 2 ⋯ t k 1 u 1 u 2 ⋯ u k 1 t k 1 t 1 ⋯ t k 1 - 1 u k 1 u 1 ⋯ u k 1 - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ t 2 t 3 ⋯ t 1 u 2 u 3 ⋯ u 1 v 1 v 2 ⋯ v k 1 w 1 w 2 ⋯ w k 1 v k 1 v 1 ⋯ v k 1 - 1 w k 1 w 1 ⋯ w k 1 - 1 ⋮ ⋮ ⋱ ⋮ ⋮ ⋮ ⋱ ⋮ v 2 v 3 ⋯ v 1 w 2 w 3 ⋯ w 1 ) [ Equation   17 ]

Here, P₁, Q₁, R₁, S₁ are circulant matrices of vectors, and M_(OV,1) is a block circulant matrix of vectors.

At last, a constant term δ_(i) is randomly selected in the finite field

_(q).

^((i)) for i=o₁+1, . . . , m will be defined as shown in Equation 18.

                                  [Equation  18] $\left\{ \begin{matrix} {{{\mathcal{F}^{({o_{i} + 1})}\left( {x_{1},\cdots,x_{n}} \right)} = {{\mathcal{F}_{V}^{({o_{i} + 1})}\left( {x_{i},\cdots,x_{v + o_{1}}} \right)} + {\mathcal{F}_{OV}^{({o_{i} + 1})}\left( {x_{1},\cdots,x_{n}} \right)} + \delta_{01} + 1}},} \\ \vdots \\ {{{\mathcal{F}^{(m)}\left( {x_{1},\cdots,x_{n}} \right)} = {{\mathcal{F}_{V}^{({o_{i} + o_{2}})}\left( {x_{i},\cdots,x_{v + o_{1}}} \right)} + {\mathcal{F}_{OV}^{(m)}\left( {x_{1},\cdots,x_{n}} \right)} + \delta_{m}}},} \end{matrix} \right.$

Here,

_(V) ^((i)) is defined as shown in Equation 2. At this time, if L_(i) of 1-1 described above is replaced with L′_(i) and υ is replaced with υ+o₁,

_(V) ^((i)) is as shown in Equation 19.

$\begin{matrix} {\mspace{79mu} {{\mathcal{F}_{V}^{\text{?}} = {{x_{1} \cdot L_{1}^{\prime}} + {\alpha_{2}L_{2}^{\prime}} + \cdots + {x_{\text{?}}L_{v + 01}^{\prime}}}},\mspace{79mu} {\mathcal{F}_{V}^{\text{?}} = {{x_{\text{?}} \cdot L_{1}^{\prime}} + {\text{?}_{1}L_{2}^{\prime}} + \cdots + {x_{v + o_{1 - 1}}L_{\text{?} + 01}^{\prime}}}},\mspace{79mu} \cdots,{\mathcal{F}_{V}^{\text{?}} = {{x_{v + \text{?} + 2} \cdot L_{1}^{\prime}} + {x_{\text{?} + o_{1} - o_{2} + 3}L_{2}^{\prime}} + \cdots + {x_{v + o_{1} - o_{2} + 1}L_{v + 01}^{\prime}}}},{\text{?}\text{indicates text missing or illegible when filed}}}} & \left\lbrack {{Equation}\mspace{14mu} 19} \right\rbrack \end{matrix}$

_(OV) ^((i)) is defined as shown in Equation 4. At this time, if υ described in 1-2 is replaced with υ+o₁ and O is replaced with O₂ (o₂=2k₂, here, k₂ is a natural number), Equation 3 becomes Equation 20, Equation 6 becomes Equation 21, and Equations 8 and 9 become Equation 22.

$\begin{matrix} \; & \left\lbrack {{Equation}\mspace{14mu} 20} \right\rbrack \\ {\mspace{85mu} {{\begin{pmatrix} \text{?} \\ \text{?} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \text{?} & x_{1} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V}^{2} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}}}}{\text{?}\text{indicates text missing or illegible when filed}}}} & \; \end{matrix}$

Here, M_(V) ² is a circulant matrix or a submatrix of a circulant matrix, and

_(OV) ^((i)) for i=o₁+1, . . . , o₁+o₂ will be defined as shown in Equation 21.

$\begin{matrix} {{\begin{pmatrix} \mathcal{F}_{OV}^{({o_{1} + 1})} \\ \mathcal{F}_{OV}^{({o_{1} + 2})} \\ \vdots \\ \mathcal{F}_{OV}^{({o_{1} + o_{2}})} \end{pmatrix} = {{{\begin{pmatrix} {v^{\prime \; T}{a^{\prime}}_{11}} & {v^{\prime \; T}{a^{\prime}}_{12}} & \cdots & \text{?} \\ {v^{\prime \; T}{a^{\prime}}_{21}} & {v^{\prime \; T}{a^{\prime}}_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{\prime \; T} & 0 & \cdots & 0 \\ 0 & v^{\prime \; T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{\prime \; T} \end{pmatrix}\begin{pmatrix} a_{11}^{\prime} & a_{12}^{\prime} & \cdots & \text{?} \\ a_{21}^{\prime} & a_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & a_{11}^{\prime} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 21} \right\rbrack \end{matrix}$

Here,

$\mspace{79mu} {v^{\prime \; T} = \left\lbrack {{{\begin{matrix} x_{1} & x_{2} & \cdots & {\left. \text{?} \right\rbrack,} \end{matrix}\mspace{79mu} M_{{OV},2}} = \begin{pmatrix} a_{11}^{\prime} & a_{21}^{\prime} & \cdots & \text{?} \\ a_{21}^{\prime} & a_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}},\; {{{and}\mspace{14mu} B_{2}} = {{\begin{pmatrix} b_{11}^{\prime} & b_{21}^{\prime} & \cdots & \text{?} \\ b_{21}^{\prime} & b_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}.\text{?}}\text{indicates text missing or illegible when filed}}}} \right.}$

Here, M_(OV,2) is a block circulant matrix whose elements are column vectors a′_(ij) each having a size υ, and B₂ is a block circulant matrix.

The block circulant matrix M_(OV,2) of vectors and the block circulant matrix B₂ are as shown in Equation 22.

$\begin{matrix} {{M_{{OV},2} = {\begin{pmatrix} a_{11}^{\prime} & a_{21}^{\prime} & \cdots & \text{?} \\ a_{21}^{\prime} & a_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {\begin{pmatrix} p_{1}^{\prime} & p_{2}^{\prime} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} P_{2} & Q_{2} \\ R_{2} & S_{2} \end{pmatrix}}}}{B_{2} = {\begin{pmatrix} b_{11}^{\prime} & b_{21}^{\prime} & \cdots & \text{?} \\ b_{21}^{\prime} & b_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} t_{1}^{\prime} & t_{2}^{\prime} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 22} \right\rbrack \end{matrix}$

Here, p′_(i), q′_(i), s′_(i), r′_(i) are column vectors each having the size υ, each of P₂, Q₂, R₂, S₂ is a circulant matrix of vectors, and M_(OV,2) is a block circulant matrix of vectors.

At last, a constant term δ_(i) is randomly selected in the finite field

_(q).

-   -   3. A public key         =S∘         ∘T is calculated (S230).

Signature Generation Algorithm

The signature generator 220 performs steps (S240 to S260) to perform the signature generation algorithm, that is, how to invert a new central map according to the present invention. The signature generator 220 receives the affine maps {tilde over (S)} and {tilde over (T)}, the secret central map

, and the message M.

-   -   1. A hash message H(M) for the message M is calculated (S240).

Here, H:{0, 1}*→

_(q) ^(m) is a collision resistant hash function.

-   -   2. {tilde over (S)}(H(M))=ξ=(ξ₁, . . . , ξ_(m))∈         _(q) ^(m) is calculated (S240). If a random matrix R, that is, a         circulant matrix, is given (or provided), as described in 3-2,         {tilde over (S)}(H(M)) is calculated according to Equation 10.     -   3. When ξ=(ξ₁, . . . , ξ_(m)) is given, processes of finding         ⁻¹(ξ)=s, that is, solutions s=(s₁, . . . , s_(n)) of         (x)=ξ, are as below (S250).

In a first layer,

a random vector s_(V)=(s₁, . . . , s_(υ))∈

_(q) ^(υ) is randomly selected.

The vector (s_(v)) is plugged into the first layer

_(V) ^((i)) for i=1, . . . , o₁ to calculate a product of a o₁×υ submatrix of a υ×υ circulant matrix and the transpose of a vector (L₁(s_(υ)), . . . , L_(υ)(s_(υ))), and, as a result, (c₁, . . . , c_(o) ₁ ) is obtained. At this time, the o₁×υ submatrix into which the vector s_(v) is plugged is M_(V) ¹.

The vector s_(v) is plugged into

_(OV) ^((i)) for i=1, . . . , o₁ to obtain a system of linear equations of O₁ equations having O₁ variables. At this time, a coefficient matrix of the system of linear equations is a block circulant matrix BC₁.

Here, the block circulant matrix BC₁ is a matrix obtained by multiplying a matrix that is obtained by plugging the vector s_(v) into a matrix composed of v^(T) in Equation 13 by M_(OV,1).

A solution s_(υ+1), . . . , s_(υ+o) ₁ is obtained by multiplying the transpose of (ξ₁−c₁−δ₁, . . . , ξ_(o) ₁ −c_(o) ₁ −δ_(o) ₁ ) by the inverse matrix BC₁ ⁻¹ obtained by the method defined in 2-2 described above.

In a second layer,

a vector s_(υ+o) ₁ =(s₁, . . . , s_(υ+o) ₁ ) is plugged into the second layer

_(V) ^((i)) for i=o₁+1, . . . , m to calculate a product of a o₂×(υ+o₁) submatrix of a (υ+o₁)×(υ+o₁) circulant matrix and a transpose of a vector (L′₁(s_(υ+o) ₁ ), . . . , L′_(υ+o) ₁ (s_(υ+o) ₁ )), and, as a result (c_(o) ₁ ₁, . . . , c_(m)), is obtained.

At this time, the o₂×(υ+o₁) submatrix into which the vector (s_(υ+o) ₁ ) is plugged is M_(V) ².

The vector (s_(υ+o) ₁ ) is plugged into

_(OV) ^((i)) for i=o₁+1, . . . , m to obtain a system of linear equations of o₂ equations having o₂ variables. At this time, a coefficient matrix of the system of linear equations is a block circulant matrix BC₂.

Here, the block circulant matrix BC₂ is a matrix obtained by multiplying a matrix that is obtained by plugging the vector S_(υ+o) ₁ into a matrix composed of v^(T) in Equation 21 by M_(OV,2).

A solution (s_(υ+o) ₁ ₊₁, . . . , s_(υ+m)) is obtained by multiplying the transpose of (ξ_(o) ₁ ₊₁−c_(o) ₁ ₊₁−δ_(o) ₁ ₊₁, . . . , ξ_(m)−c_(m)−δ_(m)) by the inverse matrix BC₂ ⁻¹ obtained by the method defined in 2-2 described above. Then, a vector s=(s₁, . . . , s_(n)) is a solution of

(x)=ξ.

If there is no inverse matrix BC₁ ⁻¹ of the block circulant matrix BC₁ or there is no inverse matrix BC₂ ⁻¹ of the block circulant matrix BC₂, the procedure returns to a beginning of the electronic signature algorithm to select a vector s_(v)′=(s′₁, . . . , s′_(υ)) of new random values, and performs the methods (or processes) described above again.

-   -   4. {tilde over (T)}(s)=σ is calculated (S260). σ refers to a         signature of the message M (here, the signature is a digital         signature or an electronic signature).

Signature Verification or Verification Step:

If the signature verifier 230 receives the message M, the signature σ, and the public key

, that is, if the public key

and the signature σ for the message M are given, the signature verifier 230 checks whether P(σ)=H(M) (S270). If P(σ)=H(M), the signature σ is accepted, and otherwise, the signature σ is rejected.

A method, an apparatus (or a device), or a computer program for performing an electronic signature algorithm based on multivariate quadratic polynomials according to the embodiment of the present invention can greatly reduce a length of a secret key by using structured matrices, and generate signatures quickly by increasing calculation efficiency.

Although the present invention has been described with reference to the embodiment shown in the drawings, this is merely exemplary, and it will be understood by those skilled in the art that various modifications and equivalent other embodiments thereof can be made. Therefore, a true technical protection scope of the present invention will be defined by a technical spirit of the appended claims. 

What is claimed is:
 1. A method of generating a public key and a secret key using a key generator comprising: acquiring an affine map {tilde over (T)} and a map (

:

^(n)→

_(q) ^(m)); and generating a public key (

=

∘T) and a secret key (

, {tilde over (T)}) and a secret key using the affine map and the map, wherein the map (

:

^(n)→

_(q) ^(m)) is expressed as a system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of O multivariate quadratic polynomials, the system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of O multivariate quadratic polynomials is expressed as below when υ linear polynomials (L₁, . . . , L_(υ)) and υ variables (χ₁, . . . , χ_(υ)) defined on a finite field

_(q) are given, $\mspace{79mu} {{\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, T:

_(q) ^(n)→

_(q) ^(n), {tilde over (T)}=T⁻¹, M_(V) is a structured matrix or a submatrix of a structured matrix, m=o, V={1, . . . , υ}, O={υ+1, . . . , υ+o}, |V|=υ, |O|=o, V is an index set for defining Vinegar variables, and O is an index set for defining Oil variables.
 2. The method of claim 1, wherein, when the system (

_(V) ⁽¹⁾, . . . ,

_(V) ^((o))) of O multivariate quadratic polynomials is expressed as below $\mspace{85mu} {{\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ M_(V) herein is a circulant matrix or a submatrix of a circulant matrix.
 3. A computer program which is stored in a storage medium to perform the method of generating a public key and a secret key of claim
 1. 4. An electronic signer comprising the key generator configured to perform the method of generating a public key and a secret key of claim 1, wherein the electronic signer further comprises: a signature generator configured to generate an electronic signature σ of a message M using the affine map {tilde over (T)}, the map

, and the message M; and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key (

=

∘T), wherein the signature generator configured to calculate a hash message (H(M)=ξ) for the message M, and calculate a solution (s=(s₁, . . . , s_(n))) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculates {tilde over (T)}(s)=σ, signature verifier determines whether P(σ)=H(M) and verify the electronic signature σ according to a result of the determination, H:{0,1}*→

_(q) ^(m), and H(M)=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m).
 5. A method of generating a public key and a secret key using a key generator comprising: acquiring an affine map {tilde over (T)} and a map (

:

^(n)→

_(q) ^(m)); and generating a public key (

=

∘T) and a secret key (

, {tilde over (T)}) using the affine map and the map, wherein the map (

:

^(n)→

_(q) ^(m)) is expressed as a system (

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o))) of O multivariate quadratic polynomials, the system (

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o))) of O multivariate quadratic polynomials is expressed as below when υ variables (χ₁, . . . , χ_(υ)) and O variables (χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o)) defined on a finite field (

_(q)) are given $\begin{matrix} {{\begin{pmatrix} \mathcal{F}_{OV}^{({o_{1} + 1})} \\ \mathcal{F}_{OV}^{({o_{1} + 2})} \\ \vdots \\ \mathcal{F}_{OV}^{({o_{1} + o_{2}})} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{\; T}a_{12}} & \cdots & \text{?} \\ {v^{T}a_{21}} & {v^{\; T}a_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{\; T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & a_{11} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}},{\text{?}\text{indicates text missing or illegible when filed}}} & \left\lbrack {{Equation}\mspace{14mu} 21} \right\rbrack \end{matrix}$ wherein, $\mspace{79mu} {{B = \begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}},{M_{OV} = \begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}},\mspace{79mu} {v^{T} = \left\lbrack {\begin{matrix} x_{1} & x_{2} & \cdots & {\left. x_{v} \right\rbrack,} \end{matrix}\text{?}\text{indicates text missing or illegible when filed}} \right.}}$ T:

_(q) ^(n)→

_(q) ^(n), {tilde over (T)}=T⁻¹, and, when each column vector a_(ij) is regarded as an element of one matrix, each column vector a_(ij) is selected such that M_(OV) is a structured matrix and element values of b_(ij) are selected such that B is also a structured matrix of the same form as M_(OV).
 6. The method of claim 5, when o(=2k) is an even number, M_(OV) is a block circulant matrix of vectors when M_(OV) is expressed as below, $M_{OV} = {\begin{pmatrix} a_{11} & a_{21} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {\begin{pmatrix} p_{1} & p_{2} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} P & Q \\ R & S \end{pmatrix}}}$ ?indicates text missing or illegible when filed each of p_(i), q_(i), s_(i), r_(i) is a column vector having a size υ, each of P, Q, R, S is a circulant matrix of vectors, and B is a block circulant matrix when B is expressed as below $B = {\begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {{\begin{pmatrix} t_{1} & t_{2} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}.\text{?}}\text{indicates text missing or illegible when filed}}}$
 7. A computer program that is stored in a storage medium for performing the method of generating a public key and a secret key of claim
 5. 8. An electronic signer, comprising the key generator configured to perform the method of generating a public key and a secret key of claim 5, wherein the electronic signer further comprises: a signature generator configured to generate an electronic signature σ of a message M using the affine map {tilde over (T)}, the map

, and the message M; and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key (

=

∘T), wherein the signature generator configured to calculate a hash message H(M)=ξ for the message M, calculate a solution (s=(s₁, . . . , s_(n)) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculates {tilde over (T)}(s)=σ, the signature verifier determines whether P(σ)=H(M) and verify the electronic signature σ according to a result of the determination, H:{0,1}*→

_(q) ^(m), and H(M)=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m).
 9. A method of generating a public key and a secret key using a key generator comprising: acquiring a first affine map {tilde over (S)}, a second affine map {tilde over (T)}, and a map (

:

^(n)→

_(q) ^(m)); and generating a public key

=S∘

∘T and a secret key ({tilde over (S)},

, {tilde over (T)}) using the first affine map, the second affine map, and the map, wherein, the map (

:

^(n)→

_(q) ^(m)) is expressed as a system (

=

, . . . ,

^((m))) of multivariate quadratic polynomials having m=o₁+o₂ polynomials and n=υ+m variables,

^((i)) for i=1, . . . , o₁ is expressed as below, $\mspace{79mu} \left\{ {\begin{matrix} {{{\text{?}\left( {\text{?},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}},} \\ {{\text{?}\left( {\text{?},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}} \end{matrix}\text{?}\text{indicates text missing or illegible when filed}} \right.$

_(V) ^((i)) for i=1, . . . , o₁ is expressed as below when υ linear equations (L₁, . . . , L_(υ)) and υ variables (χ₁, . . . , χ_(υ)) defined on a finite field

_(q) are given $\mspace{79mu} {{\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, M_(V) ¹ is a structured matrix or a submatrix of a structured matrix,

^((i)) for i=o₁+1, . . . , m is expressed as below, $\mspace{79mu} \left\{ {\begin{matrix} {{\text{?}\left( {\text{?},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}} \\ {{\text{?}\left( {\text{?},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}} \end{matrix},{\text{?}\text{indicates text missing or illegible when filed}}} \right.$

_(V) ^((i)) for i=o₁+1, . . . , m is expressed as below when linear equations (L′₁, . . . , L′_(υ+o) ₁ ) with υ+o₁ variables and υ+o₁ variables and ‘ ’ variables are given $\mspace{79mu} {{\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \\ \cdots & \cdots & \cdots & \cdots \end{pmatrix} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V}^{2} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, M_(V) ² is a structured matrix or a submatrix of a structured matrix, m=o ₁ +o ₂, S:

_(q) ^(m)→

_(q) ^(m) , T:

_(q) ^(n)→

_(q) ^(n) , {tilde over (S)}=S ⁻¹ , {tilde over (T)}=T ⁻¹, V={1, . . . , υ}, O ₁={υ+1, . . . , υ+o ₁}, O ₂ ={υ+o ₁+1, . . . , υ+o ₁ +o ₂}, which |V|=υ, i=|O_(i)|=o_(i) for 1 and 2, V is an index set for defining Vinegar variables, and O₁ and O₂ are index sets for defining Oil variables.
 10. The method of claim 9, wherein, when the map (

:

^(n)→

_(q) ^(m)) is expressed as a system (

=

, . . . ,

^((m))) of multivariate quadratic polynomials having m=o₁+o₂ polynomials and n=υ+m variables,

_(V) ^((i)) for i=1, . . . , o₁ is expressed as below $\mspace{79mu} {{\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \text{?} & x_{1} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V}^{1} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, M_(V) ¹ is a circulant matrix or a submatrix of a circulant matrix,

^((i)) for i=o₁+1, . . . , m is expressed as below $\mspace{79mu} \left\{ {\begin{matrix} {\left. \text{?} \right) + \text{?}} \\ \text{?} \end{matrix},{\text{?}\text{indicates text missing or illegible when filed}}} \right.$

_(V) ^((i)) for i=o₁+1, . . . , m is expressed as below $\mspace{79mu} {{\begin{pmatrix} \text{?} \\ \text{?} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\text{?}\begin{pmatrix} \text{?} \\ \text{?} \\ \cdots \\ \text{?} \end{pmatrix}} = {M_{V}^{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, M_(V) ² is a circulant matrix or a submatrix of a circulant matrix.
 11. A computer program that is stored in a storage medium for performing the method of generating a public key and a secret key of claim
 9. 12. An electronic signer comprising the key generator configured to perform the method of generating a public key and a secret key of claim 9, wherein the electronic signer further comprises: a signature generator configured to generate an electronic signature σ of a message M using the first affine map ({tilde over (S)}), the second affine map ({tilde over (T)}), the map (

), and the message M; and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key (

=S∘

∘T), wherein the signature generator configured to calculate a hash message H(M) for the message M, calculate {tilde over (S)}(H(M))=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m), calculate a solution (s=(s₁, . . , s_(n))) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculate {tilde over (T)}(s)=σ, the signature verifier configured to determine whether P(σ)=H(M) and verify the electronic signature σ according to a result of the determination, and H:{0, 1}*→

_(q) ^(m).
 13. The electronic signer of claim 12, wherein, when a matrix R given for randomization of the first affine map {tilde over (S)} in a product {tilde over (S)}·h of a vector h of

_(q) ^(m) and the first affine map {tilde over (S)} is a circulant matrix, the signature generator calculates {tilde over (S)}(H(M)) using an equation below {tilde over (S)}(H(M))=({tilde over (S)}+R)(H(M))−R(H(M)).
 14. The electronic signer of claim 12, wherein, when the matrix R given for the randomization of the first affine map {tilde over (S)} in the product {tilde over (S)}·h of the vector h of

_(q) ^(m) and the first affine map {tilde over (S)} is a circulant matrix, the signature generator calculates {tilde over (S)}(H(M)) using an equation below {tilde over (S)}(H(M))=({tilde over (S)}·R ⁻¹ ·R)(H(M)).
 15. A method of generating a public key and a secret key using a key generator comprising: acquiring a first affine map ({tilde over (S)}), a second affine map ({tilde over (T)}), and a map (

:

^(n)→

_(q) ^(m)); and generating a public key (

=S∘

∘T) and a secret key ({tilde over (S)},

, {tilde over (T)}) using the first affine map, the second affine map, and the map, wherein the map (

:

^(n)→

_(q) ^(m)) is expressed as a system (

=

, . . . ,

^((m))) of m=o₁+o₂ multivariate quadratic polynomials, a system (

_(OV) ⁽¹⁾, . . . ,

_(OV) ^((o) ¹ ⁾) of the O₁ multivariate quadratic polynomials is expressed as below when υ variables (χ₁, . . . , χ_(υ)) and O₁ variables (χ_(υ+1), χ_(υ+2), . . . , χ_(υ+o) ₁ ) defined on a finite field

_(q) are given ${\begin{pmatrix} \mathcal{F}_{OV}^{(1)} \\ \mathcal{F}_{OV}^{(2)} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} {v^{T}a_{11}} & {v^{T}a_{12}} & \cdots & \text{?} \\ {v^{T}a_{21}} & {v^{T}a_{22}} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}},{\text{?}\text{indicates text missing or illegible when filed}}$ wherein $\mspace{79mu} {M_{{OV},1} = {\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\mspace{14mu} {and}\mspace{14mu} {B_{1}\begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}}$ ?indicates text missing or illegible when filed are given, v ^(T)=[χ₁χ₂ . . . χ_(υ)], each column vector a_(ij) is selected such that M_(OV,1) is a structured matrix and element values of b_(ij) are selected such that B₁ is also a structure matrix of the same form as M_(OV,1), when each column vector a_(ij) is regarded as elements of one matrix, and

_(OV) ^((i)) for i=o₁+1, . . . , m is given as below, $\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \square & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}$ ?indicates text missing or illegible when filed wherein, $\mspace{79mu} {M_{{OV},2} = {\begin{pmatrix} a_{11}^{\prime} & a_{12}^{\prime} & \cdots & \text{?} \\ a_{21}^{\prime} & a_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\mspace{14mu} {and}\mspace{14mu} {B_{2}\begin{pmatrix} b_{11}^{\prime} & b_{12}^{\prime} & \cdots & \text{?} \\ b_{21}^{\prime} & b_{22}^{\prime} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}}$ ?indicates text missing or illegible when filed are given, v′ ^(T)=[χ₁χ₂ . . . χ_(υ+o) ₁ ], each column vector a′^(ij) is selected such that M_(OV,2) is a structured matrix and element values of b′_(ij) are selected such that B₂ is also a structured matrix of the same form as M_(OV,2), when each column vector (a′_(ij)) is regarded as an element of one matrix, S:

_(q) ^(m)→

_(q) ^(m), T:

_(q) ^(n)→

_(q) ^(n), {tilde over (S)}=S⁻¹, and {tilde over (T)}=T⁻¹.
 16. The method of claim 15, wherein, when o₁=2k₁ and o₂=2k₂ are given, F_(OV) ^((i)) for i=1, . . . , o₁ is expressed as below $\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ a_{21} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{1}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}$ ?indicates text missing or illegible when filed wherein, ${\text{?} = {\begin{pmatrix} a_{11} & a_{12} & \cdots & \text{?} \\ a_{21} & a_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {\begin{pmatrix} p_{1} & p_{2} & \cdots & \text{?} & q_{1} & q_{2} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ p_{2} & p_{1} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & q_{1} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & {\text{?}\text{?}} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ r_{2} & r_{3} & \cdots & r_{1} & s_{1} & s_{2} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} \text{?} & Q_{1} \\ R_{1} & S_{1} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}$ each of p_(i), q_(i), s_(i), r_(i) is a column vector having the size υ, each of P₁, Q₁, R₁, S₁ is a circulant matrix of vectors, M_(OV,1) is a block circulant matrix of vectors ${\text{?} = {\begin{pmatrix} b_{11} & b_{12} & \cdots & \text{?} \\ b_{21} & b_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & q_{1} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & {\text{?}\text{?}} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ r_{2} & r_{3} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}},{\text{?}\text{indicates text missing or illegible when filed}}$ B₁ is block circulant matrix,

_(OV) ^((i)) for i=o₁+1, . . . , m is expressed as below ${\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix} = {{{\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}} = {{\begin{pmatrix} v^{T} & 0 & \cdots & 0 \\ 0 & v^{T} & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & v^{T} \end{pmatrix}\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ a_{21}^{\prime} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}} + {B_{2}\begin{pmatrix} \text{?} \\ \text{?} \\ \vdots \\ \text{?} \end{pmatrix}}}}},{\text{?}\text{indicates text missing or illegible when filed}}$ wherein, ${M_{{OV}\; 2} = {\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = {\begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & {\text{?}\text{?}} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} \text{?} & Q_{2} \\ R_{2} & S_{2} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}$ p′_(i), q′_(i), s′_(i), r′_(i) are column vectors each having the size (υ+o₁), each of P₂, Q₂, R₂, S₂ is a circulant matrix of vectors, M_(OV,2) is a block circulant matrix of vectors, $\begin{matrix} {{\text{?} = {\begin{pmatrix} V_{11} & V_{12} & \cdots & \text{?} \\ V_{21} & V_{22} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix} = \begin{pmatrix} \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \\ \text{?} & \text{?} & \cdots & \text{?} & {\text{?}\text{?}} & \text{?} & \cdots & \text{?} \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ \text{?} & \text{?} & \cdots & \text{?} & \text{?} & \text{?} & \cdots & \text{?} \end{pmatrix}}}{\text{?}\text{indicates text missing or illegible when filed}}} & \; \end{matrix}$ B₂ is a block circulant matrix, and m=o₁+o₂.
 17. The method of claim 16, wherein, when υ linear equations (L₁, . . . , L_(υ)) and υ variables (χ₁, . . . , x_(υ)) defined on the finite field are given,

_(V) ^((i)) for i=1, . . . , o₁ is expressed as below, $\mspace{79mu} {\begin{pmatrix} \mathcal{F}_{V}^{(1)} \\ \mathcal{F}_{V}^{(2)} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \text{?} & x_{1} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \text{?} & \text{?} \end{pmatrix} \cdot \begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}} = {\text{?}\begin{pmatrix} L_{1} \\ L_{2} \\ \cdots \\ \text{?} \end{pmatrix}}}}$ ?indicates text missing or illegible when filed wherein, M_(V) ¹ is a circulant matrix or a submatrix of a circulant matrix,

_(V) ^((i)) for i=o₁+1, . . . , m is expressed as below when linear equations (L′₁, . . . , L′_(υ+o) ₁ ) with υ+o₁ variables and υ+o₁ variables are given $\mspace{85mu} {{\begin{pmatrix} \text{?} \\ \text{?} \\ \cdots \\ \text{?} \end{pmatrix} = {{\begin{pmatrix} x_{1} & x_{2} & \cdots & \text{?} \\ \text{?} & x_{1} & \cdots & \text{?} \\ \cdots & \cdots & \cdots & \cdots \\ \text{?} & \text{?} & \text{?} & \text{?} \end{pmatrix} \cdot \begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}} = {\text{?}\begin{pmatrix} L_{1}^{\prime} \\ L_{2}^{\prime} \\ \cdots \\ \text{?} \end{pmatrix}}}},{\text{?}\text{indicates text missing or illegible when filed}}}$ wherein, M_(V) ² is a circulant matrix or a submatrix of a circulant matrix,

^((i)) for i=1, . . . , m is expressed as below, $\mspace{79mu} \left\{ {\begin{matrix} {{{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}},} \\ {{{\text{?}\left( {x_{1},\ldots \mspace{11mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}},} \end{matrix}\mspace{79mu} \left\{ {\begin{matrix} {{{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}},} \\ {{{\text{?}\left( {x_{1},\ldots \mspace{11mu},\text{?}} \right)} = {{\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + {\text{?}\left( {x_{1},\ldots \mspace{14mu},\text{?}} \right)} + \text{?}}},} \end{matrix}\text{?}\text{indicates text missing or illegible when filed}} \right.} \right.$ and m=o₁+o₂.
 18. A computer program that is stored in a storage medium for performing the method of generating a public key and a secret key of claim
 15. 19. An electronic signer comprising the key generator configured to perform the method of generating a public key and a secret key of claim 15, wherein the electronic signer further comprises: a signature generator configured to generate an electronic signature σ of a message M using the first affine map ({tilde over (S)}), the second affine map ({tilde over (T)}), the map (

), and the message M; and a signature verifier configured to verify the electronic signature σ using the message M, the electronic signature σ, and the public key (

=S∘

∘T), wherein the signature generator configured to calculate a hash message H(M) for the message M, calculate {tilde over (S)}(H(M))=ξ=(ξ₁, . . . , ξ_(m))∈

_(q) ^(m), calculate a solution (s=(s₁, . . . , s_(n))) of

(x)=ξ using

⁻¹(ξ)=s when ξ=(ξ₁, . . . , ξ_(m)) is given, and calculate {tilde over (T)}(s)=σ, the signature verifier configured to determine whether P(σ)=H(M), and verify the electronic signature σ according to a result of the determination, and H:{0, 1}*→

_(q) ^(m).
 20. The electronic signer of claim 19, wherein, when a matrix R given for randomization of the first affine map {tilde over (S)} in a product {tilde over (S)}·h of a vector h of

_(q) ^(m) and the first affine map ({tilde over (S)}) is a circulant matrix, the signature generator calculates {tilde over (S)}(H(M)) using an equation below {tilde over (S)}(H(M))=({tilde over (S)}+R)(H(M))−R(H(M)).
 21. The electronic signer of claim 19, wherein, when the matrix R given for randomization of the first affine map {tilde over (S)} in a product {tilde over (S)}·h of a vector h of

_(q) ^(m) and the first affine map ({tilde over (S)}) is a circulant matrix, the signature generator calculates {tilde over (S)}(H(M)) using an equation below {tilde over (S)}(H(M))=({tilde over (S)}·R ⁻¹ ·R)(H(M)). 